US-8533846

Method and system for dynamically associating access rights with a resource

Published: September 10, 2013
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.

Patent Claims
35 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for dynamically associating, by a server, access rights with a resource, the method comprising the steps of: (a) receiving, by a server, a request for a resource from a client; (b) transmitting, by a policy engine executing on the server, a collection agent to the client in response to receiving the request; (c) receiving, by the policy engine from the collection agent executing on the client, client information; (d) applying, by a first component of the policy engine, policies to the client information to generate a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the client information; (e) transmitting, by the first component of the policy engine to a second component of the policy engine, the dataset comprising the plurality of identifiers; (f) applying, by the second component of the policy engine, policies to the dataset to identify a plurality of levels of access rights associated with the resource; (g) requesting, by the server from the second component of the policy engine, the plurality of levels of access rights to associate with the resource; (h) signing, by the server, the resource with the plurality of levels of access rights via an extensible rights markup language; (i) transmitting, by the server, the resource signed with the plurality of levels of access rights to the client; (j) making, by an application program responsive to receiving from the server the signed resource, an access control decision using the plurality of levels of access rights, the application program executing on the client; and (k) providing, by the application program, restricted access to the resource responsive to the access control decision.

Plain English Translation

A method for dynamically controlling access to a resource involves a server receiving a request from a client. The server then sends a small program (collection agent) to the client to gather client information. The collection agent sends the client information back to the server, where a policy engine analyzes it. The policy engine determines access rights based on the client information by identifying satisfied conditions. The engine assigns access levels (e.g., read-only, edit) to the resource based on these identifiers. The server then "signs" the resource using a rights markup language, embedding the access levels within the resource. Finally, the server sends the signed resource back to the client. An application on the client reads the embedded access levels and restricts user access to the resource accordingly.
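Steps (d) through (k) of claim 1, as an added Python example that is not part of the patent or of this page's analysis. The policy tables, condition names, JSON envelope and the HMAC used in place of the claimed extensible rights markup language signing are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed policies; condition and field names are assumptions.
# First component, step (d): client information -> identifiers of satisfied conditions.
CONDITION_POLICIES = {
    "av_running": lambda c: c.get("antivirus") == "running",
    "managed_device": lambda c: c.get("domain_joined") is True,
    "internal_network": lambda c: str(c.get("ip", "")).startswith("10."),
}

# Second component, step (f): required identifiers -> access levels granted.
# The right names follow claims 2-7.
RIGHTS_POLICIES = [
    (set(), {"view_html"}),
    ({"av_running"}, {"retrieve"}),
    ({"av_running", "managed_device"}, {"print", "save_local"}),
    ({"av_running", "managed_device", "internal_network"}, {"email"}),
]

# Placeholder key. With a shared HMAC key the verifier could also forge
# envelopes; an asymmetric signature removes that property.
DEMO_KEY = b"constructed-demo-key"


def evaluate_conditions(client_info):
    """Step (d): return the identifiers whose condition the client satisfies."""
    return sorted(n for n, check in CONDITION_POLICIES.items() if check(client_info))


def identify_rights(condition_ids):
    """Step (f): union of the rights of every rule whose requirements are all met."""
    satisfied = set(condition_ids)
    granted = set()
    for required, rights in RIGHTS_POLICIES:
        if required <= satisfied:
            granted |= rights
    return sorted(granted)


def _mac(body, key):
    # Canonical JSON so server and client authenticate identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_resource(resource, rights, key):
    """Step (h): bind the rights to the resource hash and authenticate both."""
    body = {"resource_sha256": hashlib.sha256(resource).hexdigest(),
            "rights": sorted(rights)}
    return {**body, "mac": _mac(body, key)}


def decide(envelope, resource, action, key):
    """Steps (j)-(k): verify the envelope first, then allow only listed actions."""
    try:
        body = {"resource_sha256": envelope["resource_sha256"],
                "rights": envelope["rights"]}
        mac = envelope["mac"]
        expected = _mac(body, key)
    except (KeyError, TypeError, ValueError):
        return False  # malformed envelope: deny
    if not isinstance(mac, str):
        return False
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False  # rights or hash were altered after signing: deny
    if body["resource_sha256"] != hashlib.sha256(resource).hexdigest():
        return False  # envelope belongs to a different resource: deny
    return isinstance(body["rights"], list) and action in body["rights"]
```

Because the claimed decision is made by an application on the client, the integrity check in `decide` only protects the rights in transit; it does not stop a client that controls the enforcing application from ignoring them.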

Claim 2

Original Legal Text

2. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to retrieve a file.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to retrieve a file. Thus, alongside other potential access rights determined by the policy engine, the right to download or otherwise obtain the resource file is explicitly granted or denied.

Claim 3

Original Legal Text

3. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to view a version of a file displayed using a version of the Hypertext Markup Language (HTML) standard.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to view the resource as an HTML document. This enables control over whether the client can view the resource's content in a web browser or similar application that renders HTML.

Claim 4

Original Legal Text

4. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to receive output data generated by an execution of the resource on an application server.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to receive data output from running the resource on a server. This allows control over whether a client can see the results or processed data generated by the resource when it is executed remotely.

Claim 5

Original Legal Text

5. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to print a copy of the resource.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to print a copy of the resource. This grants or denies the client's ability to create a physical copy of the resource.

Claim 6

Original Legal Text

6. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to save a local copy of the resource.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to save a copy of the resource locally. This determines whether the client can store the resource on their own device.

Claim 7

Original Legal Text

7. The method of claim 1, wherein step (g) further comprises receiving, by the server, an identification of a plurality of levels of access rights including a right to transmit via electronic mail a copy of the resource.

Plain English Translation

The access control method described previously, where access rights are dynamically associated with a resource, further specifies that the server receives an identification of access rights that *includes* the right for the client to email a copy of the resource. This restricts or permits the client to share the resource via email.

Claim 8

Original Legal Text

8. The method of claim 1, wherein step (k) further comprises denying, by the application program, a request to retrieve the resource.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will *deny* a request to retrieve the resource. This means the user will be completely blocked from accessing the resource's content based on the access control decision.

Claim 9

Original Legal Text

9. The method of claim 1, wherein step (k) further comprises denying, by the application program, a request to modify the resource.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will *deny* a request to modify the resource. This means the user is not permitted to alter or change the resource content, even if they can view it.

Claim 10

Original Legal Text

10. The method of claim 1, wherein step (k) further comprises the step of denying, by the application program, a request to receive output data generated by an execution of the resource on an application server.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will *deny* a request to receive output data generated by the resource executing on a server. This blocks the user from seeing any processed results from the remote execution of the resource.

Claim 11

Original Legal Text

11. The method of claim 1, wherein step (k) further comprises allowing, by the application program, a request to retrieve the resource.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will *allow* a request to retrieve the resource. This means the user is permitted to access the resource's content.

Claim 12

Original Legal Text

12. The method of claim 1, wherein step (k) further comprises displaying, by the application program, a version of the resource displayed using a version of the Hypertext Markup Language (HTML) standard, responsive to a request to retrieve the resource.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will display a version of the resource using HTML in response to a request to retrieve it. This indicates that the viewing of the resource is facilitated within a web browser or similar HTML rendering environment.

Claim 13

Original Legal Text

13. The method of claim 1, wherein step (k) further comprises allowing, by the application program, a request to receive output data generated by an execution of the resource on an application server.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource based on its access levels, further specifies that the client application will *allow* a request to receive output data generated by an execution of the resource on an application server. The user is permitted to see the processed result from remote execution.

Claim 14

Original Legal Text

14. The method of claim 1, wherein step (k), comprises providing, by the application program executing on a second server, restricted access to the resource responsive to the access control decision.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource, is modified such that the application that provides restricted access runs on *another* server. Instead of the client application restricting access, a server application restricts access, indicating a multi-tiered architecture where access control is enforced server-side.

Claim 15

Original Legal Text

15. The method of claim 1, wherein step (k) further comprises transmitting, by a second server, output data generated by executing the application program, access to the output data restricted responsive to the access control decision.

Plain English Translation

The access control method, where an application on the client restricts access to the signed resource, is extended to include a *second* server which executes the application and then transmits output data, with restricted access, back to the client. This means the second server not only makes access control decisions but also controls the dissemination of processed data based on those decisions.

Claim 16

Original Legal Text

16. The method of claim 1 wherein step (h) comprises signing, by the server, the resources with the plurality of levels of access rights using an extensible right markup language assertion grant.

Plain English Translation

The access control method described previously, where the server "signs" the resource using a rights markup language, specifies the use of an extensible rights markup language *assertion grant*. The server utilizes this grant to define access permissions.

Claim 17

Original Legal Text

17. The method of claim 1 wherein step (h) comprises signing, by the server, the resource with the plurality of levels of access rights using an expression of terms and conditions applicable to the resource using the Open Digital Rights Language standard.

Plain English Translation

The access control method described previously, where the server "signs" the resource using a rights markup language, specifies using the *Open Digital Rights Language (ODRL) standard*. This allows for the expression of terms and conditions that apply to the resource regarding usage.

Claim 18

Original Legal Text

18. A system for dynamically associating access rights with a resource comprising: a server receiving a request for access to a resource from a client; a policy engine executing on the server to: transmit a collection agent to the client in response to receiving the request, receive from the collection agent executing on the client, client information, a first component of the policy engine executing on the server to: apply policies to the client information to generate a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the client information, transmit the dataset comprising the plurality of identifiers to a second component of the policy engine, the second component of the policy engine executing on the server to: apply policies to the dataset to identify a plurality of levels of access rights associated with the resource, receive a request from the server for an identification of a plurality of levels of access rights to associate with the resource; wherein the server signs the resource with the plurality of levels of access rights via an extensible rights markup language, and transmits the resource signed with the associated plurality of levels of access rights to the client; and an application program executing on the client to: receive, from the server, a copy of the resource signed with the plurality of levels of access rights, make an access control decision in response to receiving from the server the resource signed with the plurality of levels of access rights using the plurality of levels of access rights, and provide restricted access to the resource responsive to the access control decision.

Plain English Translation

A system for dynamic access control includes a server receiving resource requests from clients. A policy engine on the server sends a client-side agent to gather information. The engine analyzes this data using policies, creating identifiers representing satisfied conditions. These identifiers are used to determine access levels for the requested resource. The server "signs" the resource with these access levels using a rights markup language before sending it to the client. An application on the client receives the signed resource, makes an access control decision based on the embedded rights, and restricts access to the resource accordingly.

Claim 19

Original Legal Text

19. The system of claim 18, wherein the server further comprises a means for associating the resource with a right to retrieve the resource.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with the right to retrieve it. This enables the system to grant or deny a user's ability to download or obtain the resource file.

Claim 20

Original Legal Text

20. The system of claim 18, wherein the server further comprises a means for associating the resource with a requirement to view a version of a file displayed using a version of the Hypertext Markup Language (HTML) standard.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with a requirement to view it using an HTML standard. This forces or allows a specific rendering of the resource.

Claim 21

Original Legal Text

21. The system of claim 18, wherein the server further comprises a means for associating the resource with a right to receive output data generated by an execution of the resource on an application server.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with a right to receive output data generated by its execution on an application server. This controls access to the results of processing.

Claim 22

Original Legal Text

22. The system of claim 18, wherein the server further comprises a means for associating the resource with a right to print a copy of the resource.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with the right to print a copy of it. This controls whether a client can make a physical copy.

Claim 23

Original Legal Text

23. The system of claim 18, wherein the server further comprises a means for associating the resource with a right to save a local copy of the resource.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with the right to save a local copy. This determines if a client can store the resource on their own device.

Claim 24

Original Legal Text

24. The system of claim 18, wherein the server further comprises a means for associating the resource with a right to transmit via electronic mail a copy of the resource.

Plain English Translation

The dynamic access control system described previously, which includes a server, policy engine, and client application, also features the server possessing a *means for associating* the resource with the right to transmit it via email. This controls whether a client can share the resource by email.

Claim 25

Original Legal Text

25. The system of claim 18, wherein the application program further comprises a component for applying an access right in the associated plurality of levels of access rights to the request for the resource.

Plain English Translation

The dynamic access control system, featuring a client application restricting access, includes a client application component that *applies* an access right from the received set of access levels to the current resource request. This component actively enforces the identified rights.

Claim 26

Original Legal Text

26. The system of claim 18, wherein the application program further comprises a means for denying a request to retrieve the resource.

Plain English Translation

The dynamic access control system, featuring a client application restricting access, includes the client application having a *means for denying* a request to retrieve the resource. This outright blocks user access to the resource content.

Claim 27

Original Legal Text

27. The system of claim 18, wherein the application program further comprises a means for allowing a request to retrieve the resource.

Plain English Translation

The dynamic access control system, featuring a client application restricting access, includes the client application having a *means for allowing* a request to retrieve the resource. This permits user access to resource content.

Claim 28

Original Legal Text

28. The system of claim 18, wherein the application program further comprises a means for viewing a version of the resource displayed using a version of the Hypertext Markup Language (HTML) standard.

Plain English Translation

The dynamic access control system, featuring a client application restricting access, includes the client application having a *means for viewing* a version of the resource displayed using an HTML standard. This enables the system to specifically render the resource within a web browser or similar environment.

Claim 29

Original Legal Text

29. The system of claim 18, wherein the application program further comprises a connection to a client agent displaying on the client received output data generated by an execution of the resource on an application server.

Plain English Translation

The dynamic access control system, featuring a client application restricting access, includes the client application having a connection to a client agent that *displays* output data received from an application server which executed the resource. This component facilitates the visualization of processed results on the client device.

Claim 30

Original Legal Text

30. The system of claim 18, wherein the server further comprises a transmitter sending the resource and the identification of the associated plurality of levels of access rights to an application program executing on a second server.

Plain English Translation

In the dynamic access control system, the server transmits the resource and access levels to an application running on a *second* server, rather than directly to the client application. This indicates a server-side component of the access control decision-making.

Claim 31

Original Legal Text

31. The system of claim 30, wherein the application program executing on the second server further comprises a means for making an access control decision responsive to an access right in the associated plurality of levels of access rights.

Plain English Translation

In the dynamic access control system with a second server, the application on that server includes a *means for making* an access control decision based on the provided access levels associated with the resource. The second server determines authorization.

Claim 32

Original Legal Text

32. The system of claim 30, wherein the application program executing on the second server further comprises a means for providing restricted access to the resource responsive to the access control decision.

Plain English Translation

In the dynamic access control system with a second server, the application on that server includes a *means for providing* restricted access to the resource based on the access control decision. This second server enforces the authorization decisions.

Claim 33

Original Legal Text

33. The system of claim 30, wherein the application program executing on the second server further comprises an agent for transmitting output data generated by the application program to the client and providing restricted access to the output data responsive to the access control decision.

Plain English Translation

In the dynamic access control system with a second server, the application on that server includes an agent to *transmit* output data to the client, with restricted access to the output data based on the access control decision. The second server filters output data transmitted to the client based on access rights.

Claim 34

Original Legal Text

34. The system of claim 18 wherein the server signs the resource with the plurality of levels of access rights using an extensible right markup language assertion grant.

Plain English Translation

The dynamic access control system, where the server "signs" the resource using a rights markup language, utilizes an *extensible right markup language assertion grant* during the signing process.

Claim 35

Original Legal Text

35. The system of claim 18 wherein the server signs the resource with the plurality of levels of access rights using an expression of terms and conditions applicable to the resource using the Open Digital Rights Language standard.

Plain English Translation

The dynamic access control system, where the server "signs" the resource using a rights markup language, uses the *Open Digital Rights Language (ODRL) standard* to express terms and conditions that apply to the resource.

Patent Metadata

Filing Date

November 8, 2006

Publication Date

September 10, 2013

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method and system for dynamically associating access rights with a resource” (US-8533846). https://patentable.app/patents/US-8533846